Securing a computer for experimental research and writing

If your data is on a device that’s connected to the internet it’s safe to assume someone will take a hack at it even when you took proper precautions. This is my practical guide for going a step deeper and working on sorta top secret projects. Modify this to suit your needs, and use at your own risk.

Basic rules

Stock up on old computers. A secondhand Thinkpad T460s from eBay is a great choice under $150, but you may have other needs: Something with newer specs, an all-in-one PC, a SoC computer like a Raspberry Pi, a Beaglebone, or an ASUS Tinker Board. Just make sure it can run the software you need and fits your performance profile. Keep in mind you will need to do work on it so get something that won’t give you trouble. Having a variety of computers on hand will give you the opportunity to set up cheap ad-hoc workstations when you need them rather than violating security protocol for convenience.

Have a backup plan. Consider the backup needs of each computer. Not everything will need full disk imaging, but every computer that is backed up should have its own backup media. Consider full-disk encryption on top of encrypted backups.

Dedicate a separate computer for research. Connecting to the internet opens up your entire network to potentially being compromised. Be mindful of the metadata trail that you leave such as search history. Use browsers and search engines that don’t track you like duckduckgo. Use a combination of private VPNs, TOR, or self-hosted proxies to mask yourself further. If you need to download any files make sure you have a procedure in place to sanitize them before bringing them into a safe zone.

Do your actual work on air-gapped devices. This means all your programming and writing work is done on computers that don’t have a network connection. Physically disable wireless by removing the network card. Prefer bootable DVDs and traditional install media for installing software. SoC computers like the Raspberry Pi use SD cards which usually need to be configured on another device. In this case do this from a secured computer. Flying under the radar with internet-free devices such as George RR Martin’s DOS machine might be another good play depending on your needs.

Don’t use email. Use some other protocol for sensitive communication, preferably something with end-to-end encryption like Telegram.

Use isolated networks when needed. If you need to network devices together you should set up a network that only secured devices can connect to. Make sure there’s no path to the internet through any other device that’s connected to this network. Make sure that the networking gear–routers and switches and hubs–all have wireless features disabled so you don’t have any unexpected visitors.

Move swiftly. If your work is worth doing, it’s worth doing fast. Finishing faster means you no longer need the supporting infrastructure and no infrastructure means no attack vector.

Security through obscurity is underrated. Making a virtual hall of mirrors is one part of the security meta-game that’s not given enough credit. Take full advantage of unique configurations to not be noticed, just don’t rely on it solely.